================================================================== BUG: KASAN: use-after-free in nr_dec_obs net/netrom/nr_route.c:471 [inline] BUG: KASAN: use-after-free in nr_rt_ioctl+0x595/0xfb0 net/netrom/nr_route.c:692 Read of size 2 at addr ffff88802d444932 by task syz-executor374/5072 CPU: 0 PID: 5072 Comm: syz-executor374 Not tainted 6.1.124-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x15f/0x4f0 mm/kasan/report.c:427 kasan_report+0x136/0x160 mm/kasan/report.c:531 nr_dec_obs net/netrom/nr_route.c:471 [inline] nr_rt_ioctl+0x595/0xfb0 net/netrom/nr_route.c:692 sock_do_ioctl+0x152/0x450 net/socket.c:1204 sock_ioctl+0x47f/0x770 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7fd7f5ada8a9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 31 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe14aa0958 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fd7f5ada8a9 RDX: 0000000000000000 RSI: 00000000000089e2 RDI: 0000000000000005 RBP: 0000000000000000 R08: 00007fd7f5b28214 R09: 00007fd7f5b28214 R10: 00007fd7f5b28214 R11: 0000000000000246 R12: 00007ffe14aa097c R13: 00007ffe14aa09b0 R14: 00007ffe14aa0990 R15: 00000000000000a4 Allocated by task 5072: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:563 [inline] nr_add_node+0x850/0x2210 net/netrom/nr_route.c:146 nr_rt_ioctl+0xd38/0xfb0 net/netrom/nr_route.c:651 sock_do_ioctl+0x152/0x450 net/socket.c:1204 sock_ioctl+0x47f/0x770 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 5072: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1724 [inline] slab_free_freelist_hook mm/slub.c:1750 [inline] slab_free mm/slub.c:3661 [inline] __kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674 nr_dec_obs net/netrom/nr_route.c:469 [inline] nr_rt_ioctl+0x2e1/0xfb0 net/netrom/nr_route.c:692 sock_do_ioctl+0x152/0x450 net/socket.c:1204 sock_ioctl+0x47f/0x770 net/socket.c:1321 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xf1/0x160 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Last potentially related work creation: kasan_save_stack+0x3b/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xb0/0xc0 mm/kasan/generic.c:486 call_rcu+0x163/0xa10 kernel/rcu/tree.c:2845 collapse net/ipv4/fib_trie.c:703 [inline] resize+0x24eb/0x2730 net/ipv4/fib_trie.c:906 replace+0x448/0x580 net/ipv4/fib_trie.c:530 inflate net/ipv4/fib_trie.c:624 [inline] resize+0x1048/0x2730 net/ipv4/fib_trie.c:869 trie_rebalance net/ipv4/fib_trie.c:1106 [inline] fib_insert_node net/ipv4/fib_trie.c:1150 [inline] fib_insert_alias+0xd2b/0x1280 net/ipv4/fib_trie.c:1164 fib_table_insert+0x7fb/0x1f20 net/ipv4/fib_trie.c:1378 fib_magic net/ipv4/fib_frontend.c:1104 [inline] fib_add_ifaddr+0x47f/0x1730 net/ipv4/fib_frontend.c:1126 fib_inetaddr_event+0x12b/0x2b0 net/ipv4/fib_frontend.c:1440 notifier_call_chain kernel/notifier.c:87 [inline] blocking_notifier_call_chain+0x104/0x1b0 kernel/notifier.c:382 __inet_insert_ifa+0x9cb/0xbd0 net/ipv4/devinet.c:569 inet_rtm_newaddr+0x8d3/0x18e0 net/ipv4/devinet.c:971 rtnetlink_rcv_msg+0x818/0xff0 net/core/rtnetlink.c:6150 netlink_rcv_skb+0x1cd/0x410 net/netlink/af_netlink.c:2493 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] netlink_unicast+0x7d8/0x970 net/netlink/af_netlink.c:1337 netlink_sendmsg+0xa26/0xd60 net/netlink/af_netlink.c:1859 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:730 [inline] ____sys_sendmsg+0x5a5/0x8f0 net/socket.c:2519 ___sys_sendmsg net/socket.c:2573 [inline] __sys_sendmsg+0x2a9/0x390 net/socket.c:2602 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 The buggy address belongs to the object at ffff88802d444900 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 50 bytes inside of 64-byte region [ffff88802d444900, ffff88802d444940) The buggy address belongs to the physical page: page:ffffea0000b51100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2d444 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea0000a3d8c0 dead000000000002 ffff888017c41640 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 16665685784, free_ts 0 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x18d/0x1b0 mm/page_alloc.c:2532 prep_new_page mm/page_alloc.c:2539 [inline] get_page_from_freelist+0x3731/0x38d0 mm/page_alloc.c:4328 __alloc_pages+0x28d/0x770 mm/page_alloc.c:5605 alloc_page_interleave+0x22/0x1c0 mm/mempolicy.c:2115 alloc_slab_page+0x6a/0x150 mm/slub.c:1794 allocate_slab mm/slub.c:1939 [inline] new_slab+0x84/0x2d0 mm/slub.c:1992 ___slab_alloc+0xc20/0x1270 mm/slub.c:3180 __slab_alloc mm/slub.c:3279 [inline] slab_alloc_node mm/slub.c:3364 [inline] __kmem_cache_alloc_node+0x19f/0x260 mm/slub.c:3437 __do_kmalloc_node mm/slab_common.c:935 [inline] __kmalloc+0xa1/0x230 mm/slab_common.c:949 kmalloc include/linux/slab.h:568 [inline] kzalloc include/linux/slab.h:699 [inline] kobject_get_path+0xb4/0x220 lib/kobject.c:152 kobject_uevent_env+0x29b/0x8c0 lib/kobject_uevent.c:544 device_add+0xa4f/0xfd0 drivers/base/core.c:3677 __video_register_device+0x3992/0x4740 drivers/media/v4l2-core/v4l2-dev.c:1037 video_register_device include/media/v4l2-dev.h:383 [inline] vivid_create_devnodes+0xf16/0x2f40 drivers/media/test-drivers/vivid/vivid-core.c:1544 vivid_create_instance drivers/media/test-drivers/vivid/vivid-core.c:1988 [inline] vivid_probe+0x5716/0x7420 drivers/media/test-drivers/vivid/vivid-core.c:2041 platform_probe+0x131/0x1b0 drivers/base/platform.c:1400 page_owner free stack trace missing Memory state around the buggy address: ffff88802d444800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff88802d444880: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc >ffff88802d444900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff88802d444980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff88802d444a00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc ==================================================================